Privacy Policy
Last Updated: March 5, 2026
Sixty10 (“we,” “us,” or “our”) is committed to protecting your privacy and the confidentiality of your information, including Protected Health Information (PHI). This Privacy Policy describes how we collect, use, disclose, and safeguard information when you visit our website (sixty10.com) or use our platform and services (collectively, the “Service”).
1. Information We Collect
Account Information: When you register for an account, we collect your name, email address, organization name, phone number, and billing information.
Customer Data: Data you submit to the Service in the course of using the platform, including client records, documents, communications, workflow data, and any Protected Health Information (PHI) you choose to store in the Service.
Usage Data: We automatically collect information about how you interact with the Service, including IP address, browser type, device information, pages visited, features used, and access times. This data is collected through cookies, log files, and similar technologies.
Communications: When you contact us via email, forms, or support channels, we collect the content of your communications and any information you provide.
2. How We Use Your Information
We use the information we collect to: provide, maintain, and improve the Service; process transactions and send related information; respond to your inquiries and provide customer support; send administrative notifications about the Service; monitor and analyze usage patterns and trends to improve user experience; detect, prevent, and address technical issues and security threats; comply with legal obligations, including HIPAA requirements; and enforce our Terms and Conditions.
3. Protected Health Information (PHI) and HIPAA
Sixty10 recognizes its obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. When we receive, create, maintain, or transmit PHI on behalf of a Covered Entity or Business Associate, we do so under the terms of a Business Associate Agreement (BAA).
PHI Protections: We implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C), including: AES-256-GCM encryption for PHI at rest and in transit; field-level encryption for designated PHI data fields across the platform; role-based access controls ensuring only authorized personnel access PHI; comprehensive audit logging of all access to and modifications of PHI; configurable session timeouts to prevent unauthorized access; and secure data backup and disaster recovery procedures.
Use and Disclosure of PHI: We will not use or disclose PHI except as permitted or required by the BAA, as necessary to provide the Service, or as required by law. We apply the Minimum Necessary Standard to all uses and disclosures of PHI. We do not sell PHI. We do not use PHI for marketing purposes. We do not use PHI to train general-purpose AI models.
Individual Rights: Individuals whose PHI is stored in the Service may have rights under HIPAA, including the right to access, amend, and receive an accounting of disclosures of their PHI. These requests should be directed to the Covered Entity (our Customer), who will coordinate with Sixty10 as necessary.
4. Business Associate Agreement (BAA)
Sixty10 will execute a Business Associate Agreement with any Customer that qualifies as a Covered Entity or Business Associate under HIPAA before any PHI is submitted to the Service. The BAA establishes: the permitted and required uses and disclosures of PHI; the safeguards Sixty10 will maintain; breach notification obligations and timelines; obligations upon termination, including return or destruction of PHI; and Sixty10’s obligations to ensure subcontractors comply with equivalent protections. To request a BAA, contact us at [email protected].
5. Data Security
We implement and maintain commercially reasonable security measures designed to protect your information, including: encryption of all data in transit (TLS 1.2+) and at rest (AES-256-GCM); field-level encryption for sensitive and PHI data fields; role-based access controls with the principle of least privilege; multi-factor authentication options; comprehensive audit logging with tamper-evident records; regular vulnerability assessments and penetration testing; secure software development lifecycle practices; employee security awareness training; incident response and breach notification procedures; and secure, geographically redundant backup systems.
6. Breach Notification
In the event of a breach of unsecured PHI, Sixty10 will notify the affected Customer without unreasonable delay and no later than sixty (60) calendar days after discovery, in accordance with 45 CFR 164.410. The notification will include: identification of individuals whose PHI was or may have been affected; a description of the nature of the breach; steps individuals should take to protect themselves; what Sixty10 is doing to investigate, mitigate, and prevent future breaches; and contact information for further inquiries. For non-PHI data breaches, Sixty10 will notify affected Customers promptly and in accordance with applicable state data breach notification laws, including the California Consumer Privacy Act (CCPA) where applicable.
7. AI Data Processing
The Service includes AI-powered features that process Customer Data, including PHI where applicable. AI processing is performed solely to deliver the requested Service functionality. Customer Data processed by AI features is not used to train, improve, or develop general-purpose AI models. AI-generated outputs are derived from Customer-provided data and the platform’s knowledge base. All AI processing is subject to the same security safeguards, access controls, and audit logging as other Service functions.
8. Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies to collect Usage Data and improve your experience. We use: essential cookies required for the Service to function; analytics cookies (Google Analytics) to understand how visitors interact with our website; and preference cookies to remember your settings. You can control cookie preferences through your browser settings. Disabling certain cookies may limit your ability to use some features of the Service. Our website analytics do not collect or process PHI.
9. Third-Party Services
We may use third-party service providers to assist in delivering the Service. These providers are bound by contractual obligations to protect your information and, where applicable, are subject to Business Associate Agreements. We do not sell, rent, or trade your personal information or Customer Data to third parties for marketing purposes.
10. Data Retention
We retain Customer Data, including PHI, for as long as your account is active or as needed to provide the Service. Upon termination of your account, we will make your data available for export for thirty (30) days. After this period, we will securely delete or destroy all Customer Data in accordance with HIPAA requirements and our data retention policies. We may retain de-identified or aggregated data that cannot reasonably be used to identify any individual for analytics and service improvement purposes.
11. Your Rights
California Residents (CCPA/CPRA): If you are a California resident, you have the right to: know what personal information we collect and how it is used; request deletion of your personal information; opt out of the sale or sharing of personal information (we do not sell personal information); and not be discriminated against for exercising your privacy rights.
All Users: You may request access to, correction of, or deletion of your account information by contacting us at [email protected]. For PHI-related requests, please contact the Covered Entity (our Customer) who manages your data.
12. Children’s Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where required, by email. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
14. Contact Us
If you have questions about this Privacy Policy or our data practices, or wish to exercise your privacy rights, contact us at: [email protected]
To request a Business Associate Agreement (BAA), contact: [email protected]
